Tips for making a new password and how passwords work

From what I have seen, many people use weak passwords. But it’s actually easy to make them strong. Let’s see.

First, do you know how passwords are stored on the servers? There are two main principles:

The first one is just storing it in the database as-is. It’s called plain-text format. That one is bad, because if someone reads the database (a hacker, server administrator, etc) – they can just see the password and can try to log in as you in a different service (unfortunately some people use the same password for several services). You can sometimes guess this type of storage if the service gives you some “maximum” restrictions. For example “maximum length of the password is 8 characters” or “You can use only alphanumerical characters and digits in your password”.

Second one is using a cryptographic hash (checksum). There are several algorithms for computing hashes from plain-text input. You give that function a plain-text and it returns a big number (hash). The returned hash is always the same for the same input. But knowing the hash only, it’s difficult to find the input it was generated for. In the database on the server, we just store that big number (hash) so when someone gets access to the database, they don’t have the plain-text passwords directly. There are a few methods of “breaking the hash” – one of them is using brute force – trying random inputs until the same hash is returned (that takes lots of time) or cryptanalysis. Different hash algorithms have different strength – some are better, others are weak. Sometimes a combination of algorithms is used to make the output computation more time-consuming and secure.

Here are my general suggestions for making your new password:

Use the first or last character of words in some easily-rememberable sentence. Example password “ildaced” from the sentence “I like drinking a coffee every day”.

Revert characters in words. Some passwords can be cracked using a dictionary of words. If you just reverse characters in a word, you will basically create a new word which won’t be in the dictionary. An example password tsrifeeffoc made from “first coffee”.

Use non-usual characters in the password. Characters like $!() etc are not used in bruteforce cracking normally.

Use different passwords for different services. It may be enough to just modify a character or two for each service. An example: fblackcat for Facebook.

Use a completely random password. This works but is difficult to remember. You may use an app wallet like KeePass or mSecure to store passwords but if someone gets access to your wallet, they will get all passwords immediately. To generate a random password, you can use this linux/mac terminal command: head -c 8 /dev/random | base64 | tr -d =